Commit eea2647e authored by Linus Torvalds

Merge tag 'x86-entry-2021-04-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull entry code update from Thomas Gleixner:
 "Provide support for randomized stack offsets per syscall to make
  stack-based attacks harder which rely on the deterministic stack
  layout.

  The feature is based on the original idea of PaX's RANDSTACK feature,
  but uses a significantly different implementation.

  The offset does not affect the pt_regs location on the task stack as
  this was agreed on to be of dubious value. The offset is applied
  before the actual syscall is invoked.

  The offset is stored per cpu and the randomization happens at the end
  of the syscall which is less predictable than on syscall entry.

  The mechanism to apply the offset is via alloca(), i.e. abusing the
  despised VLAs. This comes with the drawback that
  stack-clash-protection has to be disabled for the affected compilation
  units and there is also a negative interaction with stack-protector.

  Those downsides are traded with the advantage that this approach does
  not require any intrusive changes to the low level assembly entry
  code, does not affect the unwinder and the correct stack alignment is
  handled automatically by the compiler.

  The feature is guarded with a static branch which avoids the overhead
  when disabled.

  Currently this is supported for X86 and ARM64"

* tag 'x86-entry-2021-04-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  arm64: entry: Enable random_kstack_offset support
  lkdtm: Add REPORT_STACK for checking stack offsets
  x86/entry: Enable random_kstack_offset support
  stack: Optionally randomize kernel stack offset each syscall
  init_on_alloc: Optimize static branches
  jump_label: Provide CONFIG-driven build state defaults
parents 6f78c2a7 70918779
+11 −0
@@ -4061,6 +4061,17 @@
			fully seed the kernel's CRNG. Default is controlled
			by CONFIG_RANDOM_TRUST_CPU.

	randomize_kstack_offset=
			[KNL] Enable or disable kernel stack offset
			randomization, which provides roughly 5 bits of
			entropy, frustrating memory corruption attacks
			that depend on stack address determinism or
			cross-syscall address exposures. This is only
			available on architectures that have defined
			CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET.
			Format: <bool>  (1/Y/y=enable, 0/N/n=disable)
			Default is CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.

	ras=option[,option,...]	[KNL] RAS-specific options

		cec_disable	[X86]
+4 −0
@@ -813,6 +813,10 @@ KBUILD_CFLAGS += -ftrivial-auto-var-init=zero
KBUILD_CFLAGS	+= -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
endif

# While VLAs have been removed, GCC produces unreachable stack probes
# for the randomize_kstack_offset feature. Disable it for all compilers.
KBUILD_CFLAGS	+= $(call cc-option, -fno-stack-clash-protection)

DEBUG_CFLAGS	:=

# Workaround for GCC versions < 5.0
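Review bot: `-fno-stack-clash-protection` is appended to KBUILD_CFLAGS unconditionally, so the probes are dropped for every object in the tree even when HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET is not selected or the feature is booted off, whereas the merge description only calls for disabling it in the affected compilation units. If the tree-wide scope is deliberate, the comment above the line should say why the kernel can do without these probes everywhere rather than leaving the reader to infer it; otherwise the addition could be narrowed, e.g. wrapped in `ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET` … `endif`, or placed next to the per-object CFLAGS handling the entry files already need for the stack protector. A wording nit: `Disable it for all compilers` reads as if the flag were always applied, but `cc-option` only adds it where the compiler accepts it; `Disable it wherever the compiler supports the option` is more accurate.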
+23 −0
@@ -1054,6 +1054,29 @@ config VMAP_STACK
	  backing virtual mappings with real shadow memory, and KASAN_VMALLOC
	  must be enabled.

config HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
	def_bool n
	help
	  An arch should select this symbol if it can support kernel stack
	  offset randomization with calls to add_random_kstack_offset()
	  during syscall entry and choose_random_kstack_offset() during
	  syscall exit. Careful removal of -fstack-protector-strong and
	  -fstack-protector should also be applied to the entry code and
	  closely examined, as the artificial stack bump looks like an array
	  to the compiler, so it will attempt to add canary checks regardless
	  of the static branch state.

config RANDOMIZE_KSTACK_OFFSET_DEFAULT
	bool "Randomize kernel stack offset on syscall entry"
	depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
	help
	  The kernel stack offset can be randomized (after pt_regs) by
	  roughly 5 bits of entropy, frustrating memory corruption
	  attacks that depend on stack address determinism or
	  cross-syscall address exposures. This feature is controlled
	  by kernel boot param "randomize_kstack_offset=on/off", and this
	  config chooses the default boot state.

config ARCH_OPTIONAL_KERNEL_RWX
	def_bool n

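Review bot: The help text for RANDOMIZE_KSTACK_OFFSET_DEFAULT says the feature is controlled by `randomize_kstack_offset=on/off`, but the kernel-parameters entry added in this same commit documents the format as `<bool>  (1/Y/y=enable, 0/N/n=disable)` and does not mention on/off. The two descriptions should agree so that an administrator reading either one types a value the parser accepts; unless on/off is confirmed to be parsed, write `by kernel boot param "randomize_kstack_offset=Y/N"` here, or add on/off to the parameters entry. The HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET help asks for "careful removal" of the stack-protector flags without saying at what granularity; a sentence noting that this is done per object (as the arm64 kernel Makefile in this merge does with CFLAGS_REMOVE_*/CFLAGS_*) would tell an arch maintainer what is actually expected.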
+1 −0
@@ -146,6 +146,7 @@ config ARM64
	select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
	select HAVE_ARCH_PFN_VALID
	select HAVE_ARCH_PREL32_RELOCATIONS
	select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
	select HAVE_ARCH_SECCOMP_FILTER
	select HAVE_ARCH_STACKLEAK
	select HAVE_ARCH_THREAD_STRUCT_WHITELIST
+5 −0
@@ -9,6 +9,11 @@ CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTRACE)
CFLAGS_REMOVE_insn.o = $(CC_FLAGS_FTRACE)
CFLAGS_REMOVE_return_address.o = $(CC_FLAGS_FTRACE)

# Remove stack protector to avoid triggering unneeded stack canary
# checks due to randomize_kstack_offset.
CFLAGS_REMOVE_syscall.o	 = -fstack-protector -fstack-protector-strong
CFLAGS_syscall.o	+= -fno-stack-protector

# Object file lists.
obj-y			:= debug-monitors.o entry.o irq.o fpsimd.o		\
			   entry-common.o entry-fpsimd.o process.o ptrace.o	\
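Review bot: Style: the `CFLAGS_REMOVE_syscall.o` line mixes a tab and a space before `=`, while the `CFLAGS_syscall.o` line below uses a tab alone; use the same separator on both so the pair reads as one unit. The comment says why the canary checks are removed but not which code in syscall.o triggers them; naming the function that performs the stack bump, e.g. `# syscall.o contains the add_random_kstack_offset() caller; its alloca-style bump looks like an array to the compiler.`, means anyone who later moves that code knows to carry these two lines with it. If add_random_kstack_offset() is reached from any other object in this directory, that object needs the same REMOVE/add pair (cannot be confirmed from this hunk). The obj-y assignment continues past the end of the hunk.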